Try it out: encrypt used space only

Applies to: Windows 8, Windows 8.1

A hardworking CEO decides to bring her work home with her, so she copies several confidential documents to a USB flash drive. When she pulls her car keys from her purse, the flash drive falls into the parking lot. What happens next depends on a choice the CEO made while back in the office:

If she enabled BitLocker, she’s lost a night of productivity and a $10 flash drive.

If she didn’t enable BitLocker, the company could lose millions if the confidential documents end up in the wrong hands.

Of course, the CEO should have enabled BitLocker, but how many CEOs do you know who are willing to wait half an hour while BitLocker encrypts their flash drive?

With Windows 8, BitLocker is up to 99 percent faster, depending on how many files are stored. If you have a new drive or just a few files on an existing device, Windows 8 can encrypt a new flash drive in less than a minute.

When you encrypt a drive with Windows Vista or Windows 7, BitLocker encrypts every bit of space on the drive, even if it’s not in use. Windows 8 introduces Used Disk Space Only encryption, which gives you the option to encrypt only space on the drive that is actively being used.

Try it for yourself. Grab a flash drive, any flash drive, and copy some files to it. Then, encrypt it both with and without Used Disk Space Only encryption, and compare how long each takes. If you haven’t used BitLocker before, this article will walk you through the process, step-by-step. At the end of the article, we’ll share our own test results with different flash drives and data.

Encrypt an entire drive

First, encrypt an entire flash drive to see how long the process takes:

On the Choose How You Want To Unlock This Drive page, select the Use A Password To Unlock The Drive checkbox. Type a password in both boxes, and then click Next.

On the How Do You Want To Back Up Your Recovery Key page, select Save To A File, and save the file to your PC. Click Next.

On the Choose How Much Of Your Drive To Encrypt page (which is new in Windows 8), select Encrypt Entire Drive. Click Next.

On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

Get comfortable, because this could take 20-30 minutes. Once encrypting is complete, follow these steps to determine how long encryption took:

On the Start screen, type eventvwr.msc and press Enter to open the Event Viewer console.

In the left pane, select Windows Logs\System.

Browse the recent events with a Source of BitLocker-Driver. Find the event with the description Encryption Of Volume Started and note the time. Then, find the event with the description Encryption Of Volume Completed, and make note of how long it took.
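
The same lookup can be scripted instead of browsing Event Viewer. This is an added example, not part of the original article: it pairs each volume's started and completed events from the System log and reports the elapsed time. The provider name Microsoft-Windows-BitLocker-Driver and the exact message wording are assumptions based on the source and descriptions quoted above.

```powershell
# Added example: measure BitLocker encryption time from the System event log.
# Assumption: the BitLocker-Driver source is registered as the provider
# 'Microsoft-Windows-BitLocker-Driver' and its messages read
# "Encryption of volume <volume> started." / "... completed."
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-BitLocker-Driver'
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated   # oldest first

$pattern = '^Encryption of volume (?<vol>\S+) (?<what>started|completed)'
$started = @{}   # volume -> time of its most recent "started" event

$runs = foreach ($e in $events) {
    if ($e.Message -notmatch $pattern) { continue }   # skip unrelated driver events
    $vol = $Matches['vol']

    if ($Matches['what'] -eq 'started') {
        # A later "started" for the same volume replaces an unfinished earlier run.
        $started[$vol] = $e.TimeCreated
    }
    elseif ($started.ContainsKey($vol)) {
        [pscustomobject]@{
            Volume    = $vol
            Started   = $started[$vol]
            Completed = $e.TimeCreated
            Duration  = $e.TimeCreated - $started[$vol]   # includes any paused time
        }
        $started.Remove($vol)
    }
}

if ($runs) {
    $runs | Format-Table -AutoSize
} else {
    Write-Warning 'No completed BitLocker encryption runs found in the System log.'
}
```

Run it after each test; the last row is the most recent encryption run.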

We’ll present our own results from several different tests at the end of this article.

Turn BitLocker off

By repeating the test using the same drive and data, we can eliminate variables that might impact our results. Follow these steps to reset your flash drive so we can perform the same test using Used Disk Space Only encryption:

On the Choose How You Want To Unlock This Drive page, select the Use A Password To Unlock The Drive checkbox. Type a password in both boxes, and then click Next.

On the How Do You Want To Back Up Your Recovery Key page, select Save To A File, and save the file to your PC. Click Next.

On the Choose How Much Of Your Drive To Encrypt page, select Encrypt Used Disk Space Only as shown in Figure 1. Because this option won’t encrypt remnants of previously edited or deleted files, you would normally only use this option if the drive was new or had never had confidential data on it. Click Next.

Figure 1: Selecting Encrypt Used Disk Space Only can save more than an hour.

On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

When encryption is complete, return to Event Viewer and find the entries indicating when encryption started and stopped.
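
The wizard pages above have a scripted equivalent in the BitLocker PowerShell module included with Windows 8. This is an added example, not from the original article: it encrypts a removable drive with or without Used Disk Space Only and reports how long encryption took. The drive letter E: and the recovery file path are assumptions.

```powershell
# Added example; run from an elevated PowerShell prompt on Windows 8 or later.
param(
    [string]$MountPoint   = 'E:',   # assumed drive letter of the flash drive
    [string]$RecoveryFile = "$env:USERPROFILE\Documents\BitLocker-recovery.txt",  # assumed path
    [switch]$UsedSpaceOnly          # omit to encrypt the entire drive
)

# "Use a password to unlock the drive"
$password = Read-Host -AsSecureString -Prompt "Password to unlock $MountPoint"

# "Save to a file": add a recovery password and store it on the PC,
# never on the flash drive it protects.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
    Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -ExpandProperty RecoveryPassword |
    Set-Content -Path $RecoveryFile

# "Choose how much of your drive to encrypt" and "Start encrypting".
# Use -UsedSpaceOnly only on a drive that has never held confidential data:
# remnants of deleted files in free space are left unencrypted.
$timer = [System.Diagnostics.Stopwatch]::StartNew()
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
    -UsedSpaceOnly:$UsedSpaceOnly | Out-Null

# Poll until the volume leaves the in-progress state.
do {
    Start-Sleep -Seconds 2
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
} while ($volume.VolumeStatus -eq 'EncryptionInProgress')
$timer.Stop()

[pscustomobject]@{
    MountPoint    = $MountPoint
    UsedSpaceOnly = [bool]$UsedSpaceOnly
    VolumeStatus  = $volume.VolumeStatus
    Percentage    = $volume.EncryptionPercentage
    Elapsed       = $timer.Elapsed
}
```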

How do your results compare? Unless you filled the drive, encryption should have been much faster with the Used Disk Space Only option selected. The next section shows our own test results.

Our results

Everyone should try this test on their own; it’s fun and the results show dramatic improvements. This table shows our own times in a variety of different scenarios, all on a mid-range mobile PC.

| Flash drive | Full encryption time | Used Disk Space Only encryption time | Improvement |
| --- | --- | --- | --- |
| 8 GB USB 2.0 drive with 1 MB of data | 25 minutes, 26 seconds | 0 minutes, 56 seconds | 96% faster |
| 8 GB USB 2.0 drive with 4 GB of data | 28 minutes, 25 seconds | 16 minutes, 28 seconds | 42% faster |
| 32 GB USB 3.0 drive with 1 MB of data | 24 minutes, 30 seconds | 0 minutes, 18 seconds | 99% faster |
| 32 GB USB 3.0 drive with 4 GB of data | 26 minutes, 50 seconds | 5 minutes, 48 seconds | 78% faster |

Conclusion

Convenience and security are inseparable. The easier a security feature is to use, the more users will take advantage of it. By making BitLocker encryption faster, we hope more people will use it, and ultimately, everyone’s confidential data will stay secret. Note, however, that you should only use the Used Disk Space Only encryption option if confidential data has never been stored on the drive in the past. If the drive has previously had confidential files on it that were deleted, you should still encrypt the entire drive to prevent an attacker from recovering data from the now unused parts of the drive.

You can use Group Policy to require BitLocker encryption for removable flash drives by enabling the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny Write Access To Removable Drives Not Protected By BitLocker policy. That policy works for Windows 7, too, but many users became frustrated waiting 20-30 minutes for BitLocker in Windows 7 to encrypt their flash drive. With Windows 8 and Used Disk Space Only encryption, the waiting time for new flash drives is less than a minute, providing security without inconveniencing users.

BitLocker in Windows 8 includes several other improvements, too:

Single Sign-On. Windows 8 certified tablets that support all Connected Standby hardware requirements can be protected from DMA port-based cold boot attacks without the need for pre-boot authentication protectors such as a PIN.

Brute Force Protection. Windows sign-in is now protected with enhanced brute force protection using BitLocker technology. This optionally configured feature will put the device into BitLocker recovery mode when a brute force attack on the Windows sign-in is detected. This renders the device unbootable until an authorized user unlocks it with the 48-digit BitLocker recovery key.

BitLocker Pre-provisioning. When deploying Windows 8 to new PCs, administrators can now enable BitLocker before installing Windows, reducing deployment times by hours or even days.

Standard User PIN and Password Change. Users can now reset their BitLocker PIN or password without administrative privileges, reducing support tickets.

Network Unlock. PCs with BitLocker-protected system drives that require a PIN or smart card to start can now restart without a PIN or a smart card when connected to the internal network. This allows administrators to remotely restart PCs for maintenance or updates.